CyberWire Daily - Daily: DDoS concerns mount—not just Mirai botnets, but LDAP exploitation. Ukrainian hacktivists release emails they say belong to one of Putin's closest advisors. (Moscow says they're fake. Moscow's on its own.)

Episode Date: October 27, 2016

In today's podcast, we hear more about the IoT worries people are sharing about both industrial systems and consumer-grade products. IoT device recalls continue. Analysts expect there are more, and worse, DDoS attacks to come. Cyber espionage surfaces again in the Middle East. Yisroel Mirsky from Ben-Gurion University on machine learning research. Thomas Pore from Plixer on the Mirai botnet source code. And what's sauce for the goose is sauce for the gander. Or so we hear, at least with doxing.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 consumer-grade products, and IoT device recalls continue. Analysts expect there's more to come.
Starting point is 00:02:06 Cyber espionage in the Middle East. And what's good for the goose is good for the gander. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 27, 2016. Last week's Mirai botnet distributed denial-of-service attacks have focused attention on the Internet of Things. Observers of utilities, especially electrical power generation, are warning that the attack on Dyn should serve as an indication of what could become extremely disruptive attacks on essential services. Schneider Electric, warned by responsible
Starting point is 00:02:45 disclosure from Israeli security shop Indegy, has patched its Unity Pro software, which is widely used with programmable logic controllers, or PLCs. The vulnerabilities Schneider fixed could have been exploited to achieve remote code execution. We heard from Rod Schultz, Rubicon Labs' vice president of products, who had this to say about the vulnerability Schneider Electric patched. Quote, and an example of a type of attack that will be seen in the IoT. End quote. It's tough to secure IoT devices, because, as Schultz put it, quote, the world will not stop connecting devices to a network.
Starting point is 00:03:33 End quote. And attackers are going to continue to go after them in increasingly creative ways, for predictable, Willie Sutton-esque reasons. That's where the metaphorical money is. Schneider closed its patch notice with what it calls an important note. It is up to user responsibility, says Schneider, to protect his application by a proper password. And that's good advice for anyone. The consumer-grade IoT devices exploited in the Mirai botnet also need some attention to password hygiene.
Starting point is 00:04:05 The U.S. Department of Homeland Security has advised everyone to disconnect their routers, security cameras, and similar devices, and then change the device's names and passwords before reconnecting them. This is good advice, to be sure, but as a matter of general internet hygiene, it's as unlikely to have effect as asking random people on the street to stop littering, throw their used gum into a trash receptacle instead of ejecting it from mouth to sidewalk, and so on. A couple of them will listen to you. One of our stringers is particularly troubled by the advice. He's not sure how many devices he has in his house or how he'd go about making those changes.
Starting point is 00:04:39 And do femtocells count? Probably. DNS provider Dyn has offered more results of investigation into the distributed denial-of-service attack it sustained last week. Sources in the U.S. intelligence community have been quoted as saying that those responsible were simply criminals, not state actors. But investigation of these attacks is ongoing, and so Dyn won't speculate about either the identity of the attackers or their motives. The company has, however, confirmed that the attack was mounted using a Mirai botnet. About 100,000 devices were implicated, which is significantly fewer than earlier estimates had placed the number. The attackers used masked TCP and UDP traffic across port 53. They also employed recursive DNS retry traffic. Device manufacturer Xiongmai is continuing its recall of the webcams
Starting point is 00:05:31 said to have been compromised and used in the attacks. Thomas Pore is director of IT and services at Plixer. They took a look at the Mirai botnet source code and offered some observations about what they found. When the author pushed the source code out, I took a peek through it, and it was actually incredibly simple. You know, it's interesting that a botnet of that size and caliber could be built in such an easy, simplistic way. And so what would happen is the original malware would scan, and it would locate a DVR with default credentials.
Starting point is 00:06:18 It would then compromise, install itself, and essentially it was running in memory. So if the DVR were rebooted at any time, then the malware would be erased, and that DVR would again be public-facing and ready to be compromised again. Now, what was interesting is when the malware installed itself, it went through its own C2 behavior, and then it started performing its own scanning. And when the scanning occurred, it was trying to locate and, in fact, increase the size of the botnet. Is the fact that the source code wasn't terribly sophisticated, does that mean that the attack
Starting point is 00:06:57 wasn't sophisticated? No, that's not necessarily true. And, in fact, the concept is rather genius. So traditionally, a botnet is comprised of compromised PCs achieved through phishing attempts and people downloading malware. Now, what's great about this concept is the author doesn't have to pay for those spamming services. And we don't need to have user interaction for these to get infected.
Starting point is 00:07:29 So while it's simple, it's actually very genius, and it can be set up by most security professionals probably within 30 minutes. And to the person who was using the DVR or the person who was using the video camera, would they even notice that anything was amiss? So they probably wouldn't, unless of course the DoS attack exhausted their entire outbound connection. But again, not many people sit there and continually watch their DVRs or their cameras. They're more set up for recording purposes in case they need to go and review an incident. So it's likely that the owners had no idea. That's Thomas Pore from Plixer. Analysts warn that more attacks like this can be expected, and in fact, they've already occurred.
Starting point is 00:08:17 Singapore's StarHub experienced waves of attacks on Saturday and again on Monday. There are unfortunate opportunities for synergy among various approaches to distributed denial of service. Corero reports observing exploitation of Lightweight Directory Access Protocol, LDAP, to amplify DDoS attack traffic over the weekend. The company warns that LDAP exploitation combined with a Mirai botnet could prove extremely serious, surpassing even the very large effects seen last week. Internationally, the French government looks at ongoing U.S. experience with online political meddling, which the U.S. has ascribed to Moscow,
Starting point is 00:08:56 and warns candidates in French elections that they should expect to be on the receiving end of similar ministrations. U.S. intelligence sources say ISIS, under intense physical pressure though it may be, continues to seek to inspire attacks online from its Syrian headquarters in Raqqa. Elsewhere in the Middle East, Vectra Networks says it's found an extensive cyber espionage campaign, Moonlight, operated by Hamas against unnamed targets in the region. In industry news, network security company Tenable has made its first acquisition,
Starting point is 00:09:34 San Francisco-based container security shop FlawCheck, and Adobe yesterday issued an emergency patch for Flash, closing a vulnerability that has been under active exploitation in the wild. And finally, in the sauce for the gander department, CyberHunta, thought to be a Ukrainian hacktivist group, has doxxed Putin advisor Vladislav Surkov, releasing emails that indicate Surkov's connections with Russian separatists fighting inside Ukraine. The Russian government has long denied such support, but vanishingly few observers believe those denials, as there's a great deal of evidence to the contrary both online and on the ground.
Starting point is 00:10:10 President Putin says the emails are fabricated. Surkov doesn't use electronic mail, he said. Well, okay, Vlad, if you say so.
Starting point is 00:12:20 Joining me once again is Yisroel Mirsky. He's a PhD candidate, researcher, and project manager at the Cybersecurity Research Center at Ben-Gurion University. I know one of the strengths of your lab there, of the Cybersecurity Research Center, is machine learning. Tell us about some of the work that you're doing with that. Sure. There's a great synergy between cybersecurity and machine learning, and that's for several reasons. First of all, what is machine learning? Machine learning is any process by which a system improves performance from experience. So that means the more data you give, whatever code or algorithm you've developed, and it improves
Starting point is 00:12:56 its performance in deciding things, for example, that's machine learning. And that could be applied to many different applications. And in the domain of security, you can talk about whether it be intrusion detection in a network, you can talk about spam detection for emails and credit card fraud, or user authentication for a smartphone. And we do quite a lot of different research in many different aspects. For example, in the project that I'm managing for data leakage prevention for smartphones, we take a look at all sorts of simple sensors, such as accelerometer or CPU usage, things that don't require high level privileges. And we try to infer whether an application is doing something
Starting point is 00:13:39 that is malicious or not. So we can build a general model, for example, how Angry Birds performs, and based on that, trying to determine when it's doing something malicious. And I'll give you an example where our project really comes into play is where we take into account the context of the user. So for example, if we understand that the user never sends SMSs while he's running, then it's obvious that if an SMS is sent and we can tell that by the motion of the device that he's running, there is possibly some sort of premium SMS malware that's trying to get money from the user. And we try to build a general model that learns this all automatically.
Starting point is 00:14:19 And going back to why machine learning is important to security, it's because of basically three reasons. One is availability. We have lots of data, lots of logs, for example. We want to perform acquisition. We want to utilize this data for some purpose. And we want to perform automation. We want to do it automatically.
Starting point is 00:14:37 One last thing to mention, though, is the aspect of the security of machine learning. Now, in many cases, you can build this sort of machine learning model quite easily on data to try and predict perhaps a malicious spam email, for example. And what happens is that if the attacker also knows that you're using machine learning, he can try and attack your model, whether it be in some sort of causative attack or exploratory attack. Causative, he'll try and perhaps send specific emails that will poison your model and try and mislead it in thinking certain things are malicious or not.
Starting point is 00:15:11 And exploratory, he'll try and find those holes that you're not really looking at. And this is a whole other new domain of machine learning that's growing quite fast, because security machine learning, or using machine learning for security, is very advantageous, but also you have to be cautious, because there's always this case of a kind of arms race
Starting point is 00:15:32 of who's going to get there first, the attacker or the defender. Yisroel Mirsky, thanks for joining us.
Starting point is 00:16:33 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
